Nothing really, I'm a Windows .NET developer trying to learn Unix to expand my horizons. So far I like BSD A LOT better than Windows. The best way to learn something is to actually use it, read and ask a lot of questions.

None of this is necessary or recommended, OpenBSD is already "hardened".. bumping the kern.securelevel will only serve to bite you in the butt.

Setting the schg flag is just silly, you'll have to boot into single-user mode if you ever need to recompile your kernel or adjust firewall rules.. you cannot remove those flags unless the securelevel is <= 0.

Best way to harden OpenBSD... install it and turn off ssh; place claymore mines around computer, face toward intruders. Problem solved.

@windows 2 unix: You might also like to read the Art of Unix Programming, and some of the long ago deprecated docs on porting software from POSIX/Unix to Windows: it usually demonstrates the fundamental differences in the programming environment, if you're familiar with C.

@windows 2 unix: You might also like to read the Art of Unix Programming, and

Are you kidding? That book is a joke written by a couple of Linux guys who have heard of the Art of Computer Programming. If you want to read one intro book about Unix, The Unix Programming Environment by Brian Kernighan and Rob Pike is the way to go.

None of this is necessary or recommended, OpenBSD is already "hardened".. bumping the kern.securelevel will only serve to bite you in the butt.

I completely agree with the first part of your comment Oko, also the second part, that said I DO use securelevel=2 on my firewall, why? Because I do NOT change a lot on it, not even reload pf rules. By default after a reboot I am at securelevel=1, I change this manually to 2, that's just me, I like to use it and do believe in the right circumstances (firewall) it's beneficial.

If or when I do need to edit/reload something I log into my firewall locally and "shutdown now" to single user mode, then "exit" back up, leaving me at securelevel=1, then I make my changes, confirm them, and then type "sysctl -w kern.securelevel=2" and finish.

I also use tools like AIDE and sha checksums on log files, binaries and config files, in addition I run snort and portsentry and a HARD pf.conf file. I also use tools like bwm-ng, pftop, ntop, tcpdump and trafshow to inform me. In addition nessusd and nmap help too.

I use chflags, on SOME files, mostly just log files, binaries and config files, chflags are TRICKY and MUST be tested before you deploy, I have had it RUIN some setups with one simple enter ...

Remember that a misconfigured or worse unknown user account or buggy service can make your security life hell, even a well intended rm * (silly example I know) in the wrong directory could give you a large headache.

That also said, OpenBSD is pretty damn secure by default, and all this may be quite unnecessary, but it makes me feel safer

__________________
The more you learn, the more you realize how little you know ....
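
Added example, not part of any post in this thread: the interaction discussed above between the schg flag and kern.securelevel, as a small sh script. It reads BSD `ls -lo` output (the sample listing is constructed and the function names are hypothetical) and reports which schg files can have the flag cleared at a given securelevel, plus whether pf rules can be reloaded, which OpenBSD blocks at securelevel 2.

```shell
#!/bin/sh
# Added example (not from the thread). Sample listing below is constructed.

# schg_report LEVEL: reads `ls -lo` lines on stdin and prints
# "<state> <path>" for every file that carries the schg flag.
schg_report() {
    awk -v lvl="$1" '
        # Field 5 of BSD "ls -lo" is the comma-separated flag list ("-" if none).
        NF >= 10 && $5 ~ /(^|,)schg(,|$)/ {
            # schg can only be cleared when the securelevel is <= 0.
            state = (lvl + 0 <= 0) ? "clearable" : "locked"
            name = $10
            for (i = 11; i <= NF; i++) name = name " " $i   # names with spaces
            print state, name
        }'
}

# pf_reload_allowed LEVEL: succeeds when pf rules may still be altered,
# i.e. below securelevel 2.
pf_reload_allowed() {
    [ "$1" -lt 2 ]
}

# Constructed `ls -lo` output for a small firewall box.
sample_listing() {
cat <<'EOF'
-rwx------  1 root  wheel  schg      15632481 Mar  3 10:12 /bsd
-rw-------  1 root  wheel  schg          1874 Mar  3 10:20 /etc/pf.conf
-rw-r-----  1 root  wheel  sappnd       90211 Mar  9 23:59 /var/log/authlog
-rw-r--r--  1 root  wheel  -              512 Mar  1 08:00 /etc/hosts
EOF
}

# Show what each securelevel permits for the sample box.
for lvl in 0 1 2; do
    echo "securelevel=$lvl"
    sample_listing | schg_report "$lvl" | sed 's/^/  /'
    if pf_reload_allowed "$lvl"; then
        echo "  pf reload: allowed"
    else
        echo "  pf reload: blocked"
    fi
done
```

On a live system, feed it `ls -lo` of the files of interest and `sysctl -n kern.securelevel`. Note the securelevel 1 case: pf rules can be reloaded, but an schg-flagged /etc/pf.conf still cannot be edited on disk.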

This perception of "just" probably needs to be changed, security is ongoing and your router/firewall is the nexus point of your network, your "doorman" if you will. It is the first line of defense in what should be a ringed style of layered goodness.

Also recall that any user can compromise security unintentionally or otherwise, making all this useless to some degree, wisdom of what you are doing or want to do is more important than what software/hardware you are using.


I have actually given my real IP to script kiddies (after they mouthed off about how 1337 they were) and dared them to attack, this one was a CounterStrike server (back about 6 years ago before that Source crap) running on OpenBSD with Linux emulation.

The only thing on that server that was "hardened" was the pf.conf file, and I recall that I did not have any state limiting or anything that has since been added to PF.

Needless to say I was VERY confident about its security, and guess what? NO interruptions to gameplay whatsoever, I believe he even tried some of the "cool" cheats that CS had back then, with the server shutdown and all, NOTHING worked on it, YAY OPENBSD


None of this is necessary or recommended, OpenBSD is already "hardened".. bumping the kern.securelevel will only serve to bite you in the butt.

I completely agree with the first part of your comment Oko

That was me, not Oko.. if this device is physically secure and there are no external users accessing it, then it makes little sense to disable your ability to modify pf configuration or write to raw devices, but whatever tickles your fancy.

That was me, not Oko.. if this device is physically secure and there are no external users accessing it, then it makes little sense to disable your ability to modify pf configuration or write to raw devices, but whatever tickles your fancy.

RightO, BSDfan666 = Oko, promise not to again.

That does tickle my fancy (I am paranoid hence I use OpenBSD for ALL my servers), firewalls should not be "touched" while in production, if it needs to be edited "shutdown now" and "exit" get me to where I want to be and take about 10 seconds. Just the way I do it, I do not find it a hassle in any way and was just sharing.
